The BROP attack makes it possible to write exploits without possessing the
target's binary. It requires a stack overflow and a service that restarts
after a crash. Based on whether a service crashes or not (i.e., connection
closes or stays open), the BROP attack is able to construct a full remote
exploit that leads to a shell. The BROP attack remotely leaks enough gadgets
to perform the write system call, after which the binary is transferred from
memory to the attacker's socket. Following that, a standard ROP attack can be
carried out. Apart from attacking proprietary services, BROP is very useful in
targeting open-source software for which the particular binary used is not
public (e.g., installed from source setups, Gentoo boxes, etc.).

The attack completes within 4,000 requests (within minutes) when tested against
a toy proprietary service and against real vulnerabilities in nginx and MySQL.

The fundamental problem sometimes seen in servers is that they fork a new
worker process after a crash, without any rerandomization (e.g., no execve
follows the fork). Every respawned worker therefore inherits the same memory
layout as the one that just died, so whatever a crash reveals about that layout
stays valid for the next attempt. nginx for example does this.
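As an added example (not code from this page or from the BROP authors), a detector for the crash-and-restart footprint described above: a blind probe crashes a worker on nearly every request, so worker segfaults cluster in time. The log lines are constructed and their nginx-style error-log layout is assumed.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines (assumed nginx-style layout, not taken from the page).
# Each probe request kills a worker, and the master respawns it without execve.
SAMPLE_LOG = """\
2014/04/01 12:00:00 [notice] 100#0: start worker process 201
2014/04/01 12:00:05 [alert] 100#0: worker process 201 exited on signal 11
2014/04/01 12:00:05 [notice] 100#0: start worker process 202
2014/04/01 12:00:05 [alert] 100#0: worker process 202 exited on signal 11
2014/04/01 12:00:05 [notice] 100#0: start worker process 203
2014/04/01 12:00:06 [alert] 100#0: worker process 203 exited on signal 11
2014/04/01 12:00:06 [notice] 100#0: start worker process 204
2014/04/01 12:00:06 [alert] 100#0: worker process 204 exited on signal 11
2014/04/01 12:00:06 [notice] 100#0: start worker process 205
2014/04/01 12:01:40 [alert] 100#0: worker process 205 exited on signal 11
"""

CRASH_RE = re.compile(
    r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[alert\] \d+#\d+: "
    r"worker process (\d+) exited on signal (\d+)"
)

def parse_crashes(log_text):
    """Return (timestamp, worker_pid, signal) for every worker-crash line."""
    crashes = []
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            crashes.append((ts, int(m.group(2)), int(m.group(3))))
    return crashes

def detect_crash_bursts(crashes, window_seconds=60, threshold=4):
    """Sliding-window detector: alert once per burst when `threshold` or more
    worker crashes fall within `window_seconds`. An ordinary bug crashes a
    worker now and then; a crash oracle crashes one per request."""
    window, alerts, in_burst = deque(), [], False
    for ts, _pid, _sig in crashes:
        window.append(ts)
        while ts - window[0] > timedelta(seconds=window_seconds):
            window.popleft()
        if len(window) >= threshold and not in_burst:
            in_burst = True
            alerts.append({"at": ts, "crashes_in_window": len(window)})
        elif len(window) < threshold:
            in_burst = False
    return alerts
```

The threshold and window are tuning knobs; the point is that a server which respawns workers on every crash turns thousands of segfaults into a signal that is trivial to alert on.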

Downloads

A generic 64-bit exploit for nginx 1.4.0 that uses BROP, optimized for nginx's case.
This also includes an IP fragmentation router to make the attack possible on
WANs. nginx does a non-blocking read into a 4096-byte buffer, and typical MTUs
are 1500 bytes, so IP fragmentation is needed to deliver a large TCP segment that
will result in a single read of over 4096 bytes.